Ontario Updating Cyber Security, Privacy and Access Framework to Align More Closely with Jurisdictions Across Canada

Table of Contents

1. Content
2. Quick Facts
3. Additional Resources
4. Related Topics
5. Media Contacts

TORONTO - Ontario is taking action to better protect people's privacy, public information and sensitive data, including stronger safeguards for children's information. These updates will modernize the province's digital government and privacy framework by introducing enhanced cyber security rules for the broader public service as well as updated Freedom of Information (FOI) timelines and processes. The changes include the exclusion of cabinet ministers and their offices from FOI requirements, which will more closely align Ontario with the approach taken by other jurisdictions in Canada.

"After nearly 40 years, we are modernizing Ontario's privacy protections and bringing the province's technology practices into the 21st century," said Stephen Crawford, Minister of Public and Business Service Delivery and Procurement. "These updates will strengthen cyber security, protect cabinet confidentiality and ensure responsible modern governance."

Introduced in 1988, Ontario's current access and privacy framework has gone nearly four decades without any major updates and is no longer reflective of today's technology or digital practices. Designed before email, mobile devices and cloud-based systems became the norm, the outdated framework creates unnecessary privacy risks for both government and the public. While nearly every province and the federal government have modernized their legislation to adapt to the changing technological landscape, Ontario has fallen behind.

The updated framework will close longstanding gaps, strengthen cyber security, reduce red tape and better protect confidentiality by taking a number of actions, including:

Aligning Ontario's FOI framework:

• Excluding the records of the premier, cabinet ministers, parliamentary assistants and their offices under the Freedom of Information and Protection of Privacy Act (FIPPA). Ontario is currently one of only two jurisdictions in Canada (the other being Nova Scotia) without explicit protections for records belonging to cabinet ministers or their offices. This weakens clarity of protections for cabinet decision-making and undermines the confidentiality and candidness of discussions between ministers and their offices. Robust FOl requirements will remain in place, including when it comes to government decision-making in the form of direction from ministers and their offices to the public service.
• Updating legislation to require relevant institutions to provide reasonable, timely assistance to requesters when a request contains insufficient detail or requires further information.
• Codifying the practice of releasing voluminous requests in stages while processing continues in order to get information to requesters quickly and allow more time to process requests.
• Updating FOI timelines and terminology to provide clarity and certainty, including extending FOI response timelines to 45 business days and providing more flexibility to manage large volume and complex requests.

Strengthening cyber security and data protection to reflect modern day practices:

• Implementing enhanced cyber security rules for vital public services with mandatory cyber security practices for hospitals, school boards, children's aid societies and post-secondary institutions. This includes requiring school boards to notify parents or guardians when students' personal information is disclosed to third-party software, ensuring families have the information they need to make informed decisions.
• Requiring broader public sector organizations to complete cyber maturity assessments every two years, report critical incidents and designate a single point of contact in the event of a cyber security incident, enhancing the province's ability to prevent and respond to cyber-attacks.
• Allowing information contained in employee accounts to move between institutions or ministries when a public sector employee moves positions. This change would help employees within the Ontario Public Service move between ministries or positions without their email accounts being disrupted, helping them get on the job faster and with less disruption.

Together, these updates will help build a more responsible and secure digital framework for the province, enhancing information flow, cutting red tape and strengthening privacy protections to reflect how modern governments operate.

Quick Facts

Additional Resources

Related Topics